DEV Community

Ian Johnson

Processor Security Flaws

Two security flaws in Intel, AMD and ARM processors were discovered. These flaws allow malicious users to read memory and access secrets, like passwords.

Security flaws put virtually all phones, computers at risk

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Update your devices as soon as possible.

Oldest comments (9)

Ben Halpern

This has to be the worst vulnerability I've ever heard of. It takes advantage of a layer between apps and data that users expect to be totally secure.

Alex Rudenko

I wonder if it has been exploited by someone before it became widely known. How likely is it that black hats/govts could know about it and use it secretly?

Ian Johnson • Edited

From the Reuters article:

Speaking on CNBC, Intel’s Krzanich said Google researchers told Intel of the flaws “a while ago” and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9. Google said it informed the affected companies about the “Spectre” flaw on June 1, 2017 and reported the “Meltdown” flaw after the first flaw but before July 28, 2017.

I haven't heard of any exploits in the wild yet. Although, keeping vulnerabilities secret to use as zero-day attacks is the standard operating procedure of the NSA. And if the NSA knows about it, black hats probably know about it too. I would actually be surprised if that wasn't the case.

edA‑qa mort‑ora‑y

I think it's only to be expected that as the processors add more logic the likelihood of security flaws will increase. I see a potential market for having lowered power, and far less complex chips, for security intense operations...

...that is, assuming the public ever truly cares about security breaches, viruses, spam, malware etc. We've shown a strong reluctance not to care before.

Ben Halpern

The other side of the coin is update lethargy (or failure to make updates pain-free). Either way, there needs to be a shift.

Passwords, updates, phishing, etc. There are a lot of security issues education, while always evolving, are pretty evergreen in the computer age and we should be teaching this stuff a lot.

edA‑qa mort‑ora‑y

I think the shift has to be fundamental. A model that requires continuous updates is a never-ending war, and the faults will just continue. Were systems instead designed for security from the ground up then update lethargy wouldn't be as serious a problem (though attackers have shown some extreme ingenuity in recent times).

But, as you say, unless education of the average internet user is improved, there will be no push towards any kind of security shift. This is kind of scary. In contrast, this Intel defect is really kind of harmless in contrast to what people willingly share about themselves online.

Education and awareness are probably the biggest issues.

Ian Johnson

You just hit the nail on the head. I totally agree that this is an education issue. The average end-user doesn't know what phishing is. That just makes it easier for them to get owned by it. The same is true of many other vulnerabilities. And even more so with user practices, like using the same password over and over. Even after Equifax, the average user doesn't care. Perhaps this needs to be a bigger part of public education.

Meghan (she/her)

SharedArrayBuffer and performance analytics are also being temporarily disabled in browsers in the meantime

Chrome: chromium.org/Home/chromium-securit...
Firefox: blog.mozilla.org/security/2018/01/...
Edge too

Isaac Lyman

If anyone's curious about how Meltdown works, here's my attempt to explain it very simply: dev.to/isaacandsuch/how-meltdown-w...